security and assurance lecture jan 14

Securing the Unsecured in Cyber Space
Creating Digital Trust in Cyber Era
Cyber Security Cyber Assurance
The need of Enterprises of Tomorrow

Prof. K. Subramanian
SM(IEEE), SMACM, FIETE, FNTF SMCSI,MAIMA,MAIS,MCFE,MISACA(USA)
EX-Professor & Director, Advanced Center for Informatics & Innovative
Learning (ACIIL), IGNOU
Former IT Adviser to CAG of India
Ex-SR.1DDG(NIC), Min of Communications & Information Technology
Former President, Cyber Society of India
Emeritus President, eISSA
Academic Advocate of ISACA (USA) in India

Prof. KS@2014 csi chennai Lecture Cyber Security-->Cyber Assurance Jan 6,2014

1









Cyberspace is
Dynamic, Undefined
and Exponential
Countries’ need
dynamic laws,
keeping pace with
the technological
advancements
In a Virtual Space,
Netizens Exist,
Citizens Don’t!

Trust in E-environments



Lack of a mature IT
society



Absence of Single
governing body



Legislation



High skill inventory



Reduce fear of being
caught



Disgruntled Employees
15th April 2009

1/6/2014 KS@2014 csi chennai Lecture Cyber Security-->Cyber Assurance Jan 6,2014
Prof.

2

2










"The poor have sometimes objected to being
governed badly; the rich have always objected to
being governed at all." G. K. Chesterton
“Ever since men began to modify their lives by using
technology they have found themselves in a series of
technological traps.” Roger Revelle
“The law is the last interpretation of the law given by the last
judge.”- Anon.
“Privacy is where technology and the law collide.”
--Richard Smith
(who traced the ‘I Love You’ and ‘Melissa viruses’)
"Technology makes it possible for people to gain
control over everything, except over technology"
John Tudor

Prof.

3

3

In the Era of Digital Age
•
•
•

•

•

Can all users be identified (e.g.,
employees, contractors, and business
partners)?
Do IT managers know what users
have access to?
Can all the interactions among users,
assets, and applications be identified?
Do IT managers have verifiable
evidence that controls are working,
and appropriate action takes place
when a policy infraction occurs? Does
this evidence exist in minutes rather
than months?
No one standard meets
requirements—Advise on specific
group standards (medical,
commerce/Trade services— Highend-KBPOS)

Ten Important Imperatives

•
•
•
•
•
•
•
•
•
•

IT & Law
Security & Risk
Business Integration
Value to the Enterprise
Alignment = collaboration
Governance and funding
IT sourcing & ITES
outsourcing
Performance Measures
Growing talent
Beyond customer service

Prof.

4

Perfect Security—A Dream
• "Perfect security is
not achievable,".
• "At the end of the
day, [the security
function] is about
managing the
frequency and
magnitude of loss."

• Concerns
PRIVACY
• vs
• SOCIETY
• SAFETY
•
SECURITY
• Trust

Prof.

5

“In security matters,
there is nothing like absolute security”
“We are only trying to build comfort levels,
because security costs money and lack of
it costs much more”
“Comfort level is a manifestation of efforts as
well as a realization of its effectiveness &
limitations’

6

Prof.

7

Cyber Threats 2013

Data,
 Mobility,
 Questions of
Responsibility


Prof.

8

8

15th April 2009

Prof.

9

9

eSecurity Technologies


Cryptography & Cryptology



Steganography



Digital Water Marking
Digital Rights Management
Cyber Defence technologies (Firewall,
IDS/IPS, Perimeter and Self-Defence )
Access Control &ID Management (Rule, Role,
Demand Based)
Signatures (Digital/Electronic)
Cyber Forensics & Cyber Audit







Prof.

10

10

Cyber Security – A Holistic View
Authentication
Threat Management Encryption
& Early Warning
Antivirus
Honey Pot
& Decoy
Firewall
Technology
Intrusion
Detection
Vulnerability
Assessment

Policy
Compliance

Proactive
Control

Event &
Incident Mgmt

Access Control
& Authorization
Identity
Config.
Attack
Mgmt
Mgmt
Recovery
Common Tools/Svcs
Console

VPN

Content
Updates &
Security
Response
24x7
Global
Customer
Support

Prof.
Source: Symantec Inc

11

LOSS OF
CREDIBILITY
INTERCEPTION
SOCIAL
ENGINEERING
ATTACK

ACCIDENTAL
DAMAGE

DATA EMBARRASSMENT
DIDDLING

AUTHORISATION
PROGRAM
CHANGE
SCAVENGING
DOCUMENTATION

PASSWORDS

VIRUS
ATTACK

AUDIT TRAILS

NATURAL
DISASTER
TROJAN
HORSES

INPUT
VALIDATIONS

ANTI-VIRUS
ENCRYPTION
SECURITY
GUARDS

FINANCIAL INCOMPLETE
LOSS PROGRAM
CHANGES
LOSS OF
CUSTOMERS

IS

BACKUPS

HARDWARE
MAINTENANCE
BUSINESS
CONTINUITY
PLAN

UNAUTHORISED
ACCESS

HARDWARE /
SOFTWARE
FAILURE

FRAUD
& THEFT
LOSING TO
12
COMPETITION

Prof.

Prof.

13

Government Policy Guidelines
• Policy on :Identity and Access Management: An eGovernance standards initiative to make e-Government
Programs and their services a reality
• Draft Document “e-Governance Information Security
Standard” (Version 01 dated 12th October 2006)--has
proposed additional security controls for E-Governance
purposes Viz., Data security and privacy protection,
Network security, and Application security;
• Draft Document “Base line security requirements &
Selection of controls” (Version 01, 12th October 2 006).

http://egovstandards.gov.in

Prof.

14

Strategy-Policy-Good Practice
• “Information Security Policy for Protection Critical
Information Infrastructure” (No. CERTIn/NISAP/01, issued on 1st May 2006) –Recent
Guidelines
• Information & Privacy Protection Policy, apart from IT
ACT & RTI ACTS
• Stopping Spam Before It Stops You – SPAM
Policy to be done
• Privacy/Data Protection Legislation-Underway
"Data disposal, anonymity, trust, privacy management,
and systems development activities are just a few of
the many privacy concerns organizations must
address and need to thoughtfully create a privacy
strategy that is clearly and consistently supported by
the KS@2014 csi chennai Lecture Cyber
1/6/2014 top business leaders." Security-->Cyber Assurance Jan 6,2014
Prof.
15

Corporate Governance
Business Assurance Framework
India Initiatives
Global Phenomena
• 1. Clause 49
• Combines Code of • 2. Basel II & III-RBI
UK and SOX of
• 3.SEBI- Corporate
USA
Governance
• Basel II & III
Implementation
directives
• Project
• 4.Risk managementGovernance
RBI & TRAI
• IT Governance
• 5. MCA Initiatives
• Human & Humane • New company Law
Governance
Prof.
16
2013

16

Learning From Experience
======================
==
1. The only source of knowledge is experience.
-- Einstein

2. One must learn by doing the thing; for though you think you
know it, you have no certainty, until you try.
-- Sophocles

3. Experience is a hard teacher because she gives the test first,
and the lesson afterwards.
-- Vernon Sanders Law
4. Nothing is a waste of time if you use the experience wisely.
-- Rodin


17

Known Threat Assessment Approaches

•

Privilege Graph [Dacier et al. 94]
•
•

•

Attack Graph [Philips et al. 98, 01,
02]
•
•

•

Vertices/nodes represent privilege
states
Edges/arcs represent privilege
escalation

Vertices/nodes represent network
states
Edges/arcs represent atomic
exploits

Shortcomings
•
•

•
•

Too many details, very finegrained
Without automation, model
instantiation is cumbersome
Model-checking can help, but
state explosion problem
Insider attacks may succeed
without privilege escalation or
vulnerabilities

Recent Insider Threat Mitigation Tools

• Skybox View
• Sureview from Oakley
Networks
• iGuard from Reconnex
• Content Alarm from
Tablus
• Vontu from Vontu, Inc.
• Rule-based techniques
• Detect policy violations
• Forensics analysis

Prof.

18

SEMANTIC ISSUES

CERTIFICATION

What is certification; what does
it denote and mean?

TECHNOLOGICAL ISSUES
How is certification achieved?
How are the prerequisites and
context for certification established?

What are the principal concepts
and elements of certification

What is it you are certifying?
(Object of certification)

What additional concepts and
notions are expressed and
implied by certification?

Certification with respect to what?
(Business for certification)

What is the Intent of the
certification; what is it you are
trying to do in certifying
something?

What relation must exist for
certification?
(Object/basis relation)

ADMINISTRATIVE
ISSUES

What activities/decisions are
prerequisite for certification?

Who does the certification?
Who is the recipient of the
certification?

How and when is certification to
be conducted?

What is the significance of the
certification for the certifier?
What is the significance of the
certification for the recipient?
Why certify?

Prof.

19

Security Assurance - Expectations

“To determine how much is too much, so that
we can implement appropriate security
measures to build adequate confidence and
trust”
“To derive a powerful logic for implementing or not
implementing a security measure”

20

Managing Interdependencies
Critical in Enterprises/Institutions
• Infrastructure characteristics (Organizational,
operational, temporal, spatial)

• Environment (economic, legal /regulatory, technical,
social/political)

• Coupling and response behavior

(adaptive,

inflexible, loose/tight, linear/complex)

• Type of failure (common cause, cascading, escalating)

• Types of interdependencies
(Physical, cyber, logical, geographic)

• State of operations
(normal, stressed /disrupted, repair/restoration )

.

21

Identity Management
• Identity management is not new, but has evolved
from the days of a single password entry onto the
network to a comprehensive set of processes and
systems that make it easier for all users to access
information in real time and in a much more secure
manner
• ID management tend to center on the technical
improvements in system security, the more important
benefits are the opportunities gained by collaborating
with vendors, suppliers, and customers across the
supply chain.
• A real value of an [ID management] solution enables
ultimately this wide range of business enterprise.

22

Biometric System Operates on

•Verification
•Identification

23

Biometrics
Biometrics

Prof.

24

Layered E-trust Framework

Computing E-trust
Services
Shared E-trust
Applications

Trusted Digital Identity
Infrastructure

PKI Technology

Single e-trust

Applications

B2B, B2C, SET, C2C

Infrastructure
Layer 2 Service Provider
Layer 2 Service Provider
example: Identrus
example IDENTRUS

Prof.

25

Present Risk Certification Issues
Trust
• Trust cannot be bought or sold. It has to be
created
• Trust is earned and not given away.
• Trusted third party or a trusted CA
raises
- trusted in relationship to whom
- trusted by whom?
- trusted for what?
- trusted for how long?


26

9 Rules of Risk Management
•

There is no return without risk
•

•

Be Transparent
•

•

A consistent and rigorous approach will
beat a constantly changing strategy

Use common sense
•

•

Multiple risk will produce more consistent
rewards

Sow Discipline
•

•

Risk should be discussed openly

Diversify
•

•

Question the assumptions you make

Communicate
•

•

Risk is measured, and managed by
people, not mathematical models.

Know what you Don’t know
•

•

Rewards to go to those who take risks.

It is better to be approximately right, than
to be precisely wrong.

Return is only half the question
•

Decisions to be made only by considering
the risk and return of the possibilities.

RiskMetrics Group

Prof.

27

• UNIVERSALITY: Each person should have
the characteristics
• Distinctiveness: Any two persons should be
different in terms of the characteristic.
• Permanence: The characteristic should be
sufficiently in-variant (w.r.to the matching
criterion) over a period of time.
• Collectability: The characteristic should be
quantatively measurable.

Prof.

28

28

• Uniform Naming convention-absence
• Birth & Death registration-Incomplete
• No social security registration number
• Absence of Identity such as phones,
driving licenses available with every body
• Electoral ID DB- Complete set not there
but at least covers 600-650 m records-not
auditable and verifiable
• Absence of PAN & other ID number for
everybody-Not auditable & verifiable
Prof.

29

• By Possession
• Password
• Static
• Dynamic

• By Association
• PIN/TOKEN
• By Card
• By Biometrics

• By Government

• PAN(TAXATION)
• Passport
• Social Security
Number
• Citizenship ID NO.
• Senior Citizen
NUMBER

Prof.
Cognizant Address

23rd June 2005

30

30

•
•
•
•
•
•

Domain Name System (DNS)
Dynamic Host Configuration Protocol (DHCP)
Remote Authentication Dial-In User Service (RADIUS)
Lightweight Directory Access Protocol (LDAP)
Microsoft ’s Active Directory
Novell Directory Services (NDS)

• Public Key Infrastructure (PKI)

Prof.

31

• Most enterprises have no common, unified
database of user profiles, access rights, and
device identity. This situation has put the
integrity of core infrastructure network
services in jeopardy in the following areas:
• Security.
• Reliability.
• Cost.
• Software Version Control.
• Scalability.
Prof.

32



Internal Competition
from Liberalization



Learn more about own
Businesses.



World Competition from
Globalization



Reach out to all Business &
Function Heads.



Entrenched Competition
Abroad



Sharpen Internal
Consultancy Competences.



Asymmetry in Scale,
Technology, Brands



Proactively Seize the
Repertoire of MS & Partners



Foster two way flow of IS &
Line Talent.



Industry Shakeouts and
Restructuring

15th April 2009

Prof.

33

33

Key Areas of Assurance
• Organizational
- Systems in place to identify & mitigate differing risk perceptions of
stakeholders to meet business needs

• Supplier
- Confidence that controls of third party suppliers adequate & meets
organization’s benchmarks

• Business Partners
- Confirmation that security arrangements with partners assess & mitigate
business risk

• Services & IT Systems
- Capability of developers, suppliers of IT services & systems to implement
effective systems to manage risks to the organization’s business
Prof.

34

34

Benefits of Assurance
• Contributes to effectiveness & efficiency of business operations
• Ensures reliability & continuity of information systems
• Assists in compliance with laws & regulations
• Assures that organizational risk exposure mitigated
• Confirms that internal information accurate & reliable
• Increases investor and lenders confidence

15th April 2009
15th April 2009

Prof. KS@2009: BMS CII Conference
New delhi April14-15, 2009

Prof.

35

35

Cyber Assurance Framework
• Insurance-Protection of classified assets
• Audit—Gives comfort level (Internal/External)
• Pre audit
• Concurrent audit
• Post audit

• Assurance-More degree of comfort as it is multilayered.
•
•
•
•
•
•

Management
Operational
Technology/technical
Network
Legal
Impact

Standards, Standards, Standards
Technical Vs Management













Security
Audit
Interoperability
Interface
(systems/devises/communications)
Architecture/Building
Blocks/reusable
HCI (Human Computer Interface)
Process (Quality & Work)
Environmental (Physical, Safety,
Security)
Data Interchange & mail messaging
(Information/Data Exchange)
Layout/Imprint
BCM





Technical StandardsSpecifications-mainly
for interoperability,
accessibility and
Interactivity
Management
standards-Auditable &
Verifiable-Certification
& Compliance
15th April 2009
15th April 2009


Prof.

37

37

Importance of Group Standards -no one standard meets all requirements
ISO 27001/BS7799 Vs COBIT Vs CMM Vs ITIL

Mission

Business Objectives
Business Risks
Applicable Risks
Internal Controls
Review

Prof.

38

Transition: Insurance Assurance
&
Assurance Layered Framework
•
•
•

•
•
•

Insurance
Audit
Pre, Concurrent, Post
•
•
•
•
•
•
•

•
•

IT Audit
Environmental
Operational
Technology
Network
Financial
Management
Impact

Electronics Continuous Audit
Certification
Assurance

•

•
•

Management
Assurance(GRC)
Operational Assurance
(Risk & ROI)
Technical Assurance
(Availability, Serviceability
& Maintainability)
Revenue Assurance
(Leakage & Fraud)
Legal Compliance &
Assurance (Governance)

Prof.

39

Cyber Governance Components
• Environmental & ICT
Infrastructure



• Operational (logistics
Integration)
• Technology (synergy &
Convergence)
• Network (multi Modal
Network)
• Management (HRM &
SCM &CRM)







Operational Integration
(Functional)
Professional Integration
(HR)
Emotional/Cultural
Integration
Technology Integration

• Impact (feed-back
correction)

Prof.

40

Legislative Trust &Techno-Legal issues &
Amendment to IT Act or Legislation of New Acts
• Authentication for retrieval
• Authorized access and control
of access
• Security standards for
certification and mandatory
for compliance for Electronic
Achieves
• Information/Data Protection
(Privacy and Piracy)
• Information management and
Continuous preservation in
Electronic Archives
• Information Assurance and
Auditability

Legal/Regulatory
Framework & Attributes
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability of information

Prof.

41 41

“IT Regulations and Policies-Compliance &
Management”
Pre-requisites Physical Infrastructure and Mind-set
• PAST: We have inherited a past, for which we cannot be held
•

responsible ;
PRESENT: have fashioned the present on the basis of
development models, which have undergone many mid-course
corrections

• FUTURE: The path to the future -- a future in which India and
Indians will play a dominant role in world affairs -- is replete with
opportunities and challenges.
In a number of key areas, it is necessary Break from the past in
order to achieve our Vision.
We have within ourselves the capacity to succeed

We have to embrace Integrated Security & Cyber Assurance
Framework
Prof.

42

Prof.

43
43

CXO~CEO Internal Strategic
Alliances


CIO & CEO
Business Led Info. strategy



CIO & CMO
Competitive Edge & CVP



The Productivity/Performance
Promise

•
•

CIO & CTO

Cost-Benefit Optimization

•



CIO & CFO
Shareholder Value Maximization

•



CIO & CHRO

Employee Performance and Rewards


CIO & Business Partners

Virtual Extended Enterprise

•
•

Capital Productivity
(ROI, EVA, MVA)
Material Productivity
(60% of Cost)
Managerial Productivity
(Information Worker)
Labour Productivity
(Enabled by IW)
Company Productivity
Micro
Factor Productivity
Macro

Prof.

44

Towards Information/Business
Assurance

• Increasingly, the goal isn't about information
security but about information/Business
assurance, which deals with issues such as
data/information availability and integrity.
• That means organizations should focus not
only on risk avoidance but also on risk
management. "You have to be able to
evaluate risks and articulate them in business
terms“
--Jane Scott-Norris, CISO at the U.S.
State Department

45

Comparison of Seals
WEB Certification
Security
of Data

Business
Policies

Transaction
Processing
Integrity

Product

Cost

Privacy
of Data

BBB Online

Low

No

No

Lightly
Covered

No

TRUSTe

Low

Yes

No

No

No

Veri-Sign

Low to
Medium

No

Yes: Data
Transmittal
No: Data Storage

No

No

ICSA

High

Yes

Yes

Somewhat
Covered

Lightly
Covered

WebTrust

High

Yes

Yes

Yes

Yes

Prof.

46

Security Governance Maturity Model

Prof.

47
47

Cyber Forensics & Cyber Frauds
•
•
•
•
•
•
•
•

Digital forensics
Email forensics
Image forensics
Video Forensics
Storage Forensics
Audio Forensics
Network forensics
Data/Information forensics

Prof.

48

Types of Frauds
Conflict of Interest

Nepotism

Gratuities

False Statements

Omissions

Favoritism

False Claims

Forgery

Kickbacks

Misappropriation

Conspiracy

Alterations

Breach of Duty

Bribery

Substitution

Impersonation

Embezzlement

Extortion

Prof.

49

Common Red Flags Signaling
Management Fraud
o Management decisions are dominated by an individual
or small group.
o Managers’ accounting attitudes are unduly
aggressive.
o Managers place much emphasis on meeting earnings
projections.
o Management’s business reputation is poor.
o Management has engaged in opinion shopping.
o Managers are evasive responding to auditors’ queries.
o Managers engage in frequent disputes with auditors.
o Managers display significant disrespect for regulatory
bodies.
Prof.
o 1/6/2014 KS@2014 csi chennai Lectureinternal control environment.
Company has a weak Cyber Security-->Cyber Assurance Jan 6,2014 50

Common Red Flags Signaling
Management Fraud
o Company accounting personnel are lax or
inexperienced in their duties.
o Company employs inexperienced managers.
o Company is in a period of rapid growth.
o Company profit lags the industry.
o Company has going concern problems (bankruptcy).
o Company is decentralized without adequate
monitoring.
o Company has many difficult accounting measurement
and presentation issues.
o The company may be offered for sale.
Prof.
51
o The company makes acquisitions using its stock.

Common Red Flags Signaling Employee
Fraud
o Customer
o Missing
complaints.
documents.
o Adjustments to
o Unusual
receivables and
endorsements on
payables.
checks.
o Increased past due
o Unexplained
receivables.
adjustments to
o Inventory shortages.
inventory
o General ledger does
balances.
not balance.
o Unexplained
adjustments to
accounts
Prof.
52
receivable.

Common Red Flags Signaling Employee
Fraud
o Increased scrap.
o Alterations on
documents.
o Duplicate
payments.
o Employees cannot
be found.
o Documents
photocopied
o Dormant accounts
become active.
o Common names or
addresses for
Prof.
53
refunds.
o Old items in bank
reconciliations.
o Old outstanding
checks.
o Unusual patterns
in deposits in
transit.
o Cash shortages
and overages.
o Excessive voids
and credit
memos.

“Honest Abraham” Lincoln
After angrily turning
down a bribe, he said,
“Every man has his
price, and he was
getting close to mine.”
Under the right set of
circumstances anyone could
become a fraud perpetrator.
1/6/2014 Prof. KS@2014 csi chennai Lecture Cyber Security-->Cyber Assurance Jan 6,2014

54

IT Security predictions 2014
1.Pirated software*
Pirated software will drive insecurity in much
more dynamic ways than previously realized.
Users of pirated software are afraid to
download updates, thus are exposed to
security risks because their software is
entirely unpatched. Also, newer versions of
pirated software now come with malware preinstalled. As a result, users of pirated
software will become the new “Typhoid
Marys” of the global computing community.
*IBM's X-Force research team

55

IT Security Predictions 2013
2.social networks and ups the ante
Social engineering meets social networks and ups the
ante for creative compromises. Criminal
organizations are increasingly sophisticated in how
they attack different social networking sites. For
example, Twitter is being used as a distribution
engine for malware. LinkedIn, however, is being used
for highly targeted attacks against high-value
individuals. We will see these organizations use
these sites in creative new ways in 2010 that will
accelerate compromises and identity theft, especially
as new commercial applications increase the
disclosure of valuable personal information on these
sites.

56

3.0 Criminals take to the cloud
Criminals take to the cloud. We have
already seen the emergence of “exploits
as a service.” In 2013 we will see
criminals take to cloud computing to
increase their efficiency and
effectiveness.


57

• a rise in attacks on health care
organizations will occur for similar
reasons,
• continued attacks on retailers big and
small, tax authorities,
• school systems - anywhere where lots
of records are kept by organizations that
haven't traditionally had best practice
security in place

58

Security & Governance - Final Message

“In Governance matters
Past
is no guarantee;
Present is imperfect
&
Future is uncertain“
“Failure is not when we fall down, but when we fail 6,2014 59
1/6/2014 KS@2014 csi chennai Lecture Cyber Security-->Cyber Assurance Jan to get up”
Prof.

Let us Secure and Cyber Assure our Enterprises by Good Governance

FOR FURTHER
INFORMATION PLEASE
CONTACT :






E-MAIL:
ksdir@nic.in

ksmanian48@gmail.com

ksmanian1948@gmail.c
om


ksmanian20032004@ya
hoo.com




91-11-22723557

Prof.

60

security and assurance lecture jan 14

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (15)

Similaire à security and assurance lecture jan 14

Similaire à security and assurance lecture jan 14 (20)

Plus de subramanian K

Plus de subramanian K (20)

Dernier

Dernier (20)

security and assurance lecture jan 14